diff options
Diffstat (limited to 'vendor/github.com/minio/minio-go')
5 files changed, 120 insertions, 42 deletions
diff --git a/vendor/github.com/minio/minio-go/v7/api-get-options.go b/vendor/github.com/minio/minio-go/v7/api-get-options.go index bb86a5994..a0216e201 100644 --- a/vendor/github.com/minio/minio-go/v7/api-get-options.go +++ b/vendor/github.com/minio/minio-go/v7/api-get-options.go @@ -87,10 +87,10 @@ func (o *GetObjectOptions) Set(key, value string) { } // SetReqParam - set request query string parameter -// supported key: see supportedQueryValues. +// supported key: see supportedQueryValues and allowedCustomQueryPrefix. // If an unsupported key is passed in, it will be ignored and nothing will be done. func (o *GetObjectOptions) SetReqParam(key, value string) { - if !isStandardQueryValue(key) { + if !isCustomQueryValue(key) && !isStandardQueryValue(key) { // do nothing return } @@ -101,10 +101,10 @@ func (o *GetObjectOptions) SetReqParam(key, value string) { } // AddReqParam - add request query string parameter -// supported key: see supportedQueryValues. +// supported key: see supportedQueryValues and allowedCustomQueryPrefix. // If an unsupported key is passed in, it will be ignored and nothing will be done. func (o *GetObjectOptions) AddReqParam(key, value string) { - if !isStandardQueryValue(key) { + if !isCustomQueryValue(key) && !isStandardQueryValue(key) { // do nothing return } diff --git a/vendor/github.com/minio/minio-go/v7/api-object-tagging.go b/vendor/github.com/minio/minio-go/v7/api-object-tagging.go index 305c36de8..6623e262a 100644 --- a/vendor/github.com/minio/minio-go/v7/api-object-tagging.go +++ b/vendor/github.com/minio/minio-go/v7/api-object-tagging.go @@ -32,6 +32,12 @@ import ( // to update tag(s) of a specific object version type PutObjectTaggingOptions struct { VersionID string + Internal AdvancedObjectTaggingOptions +} + +// AdvancedObjectTaggingOptions for internal use by MinIO server - not intended for client use. +type AdvancedObjectTaggingOptions struct { + ReplicationProxyRequest string } // PutObjectTagging replaces or creates object tag(s) and can target @@ -50,7 +56,10 @@ func (c *Client) PutObjectTagging(ctx context.Context, bucketName, objectName st if opts.VersionID != "" { urlValues.Set("versionId", opts.VersionID) } - + headers := make(http.Header, 0) + if opts.Internal.ReplicationProxyRequest != "" { + headers.Set(minIOBucketReplicationProxyRequest, opts.Internal.ReplicationProxyRequest) + } reqBytes, err := xml.Marshal(otags) if err != nil { return err @@ -63,6 +72,7 @@ func (c *Client) PutObjectTagging(ctx context.Context, bucketName, objectName st contentBody: bytes.NewReader(reqBytes), contentLength: int64(len(reqBytes)), contentMD5Base64: sumMD5Base64(reqBytes), + customHeader: headers, } // Execute PUT to set a object tagging. @@ -83,6 +93,7 @@ func (c *Client) PutObjectTagging(ctx context.Context, bucketName, objectName st // to fetch the tagging key/value pairs type GetObjectTaggingOptions struct { VersionID string + Internal AdvancedObjectTaggingOptions } // GetObjectTagging fetches object tag(s) with options to target @@ -96,12 +107,16 @@ func (c *Client) GetObjectTagging(ctx context.Context, bucketName, objectName st if opts.VersionID != "" { urlValues.Set("versionId", opts.VersionID) } - + headers := make(http.Header, 0) + if opts.Internal.ReplicationProxyRequest != "" { + headers.Set(minIOBucketReplicationProxyRequest, opts.Internal.ReplicationProxyRequest) + } // Execute GET on object to get object tag(s) resp, err := c.executeMethod(ctx, http.MethodGet, requestMetadata{ - bucketName: bucketName, - objectName: objectName, - queryValues: urlValues, + bucketName: bucketName, + objectName: objectName, + queryValues: urlValues, + customHeader: headers, }) defer closeResponse(resp) @@ -121,6 +136,7 @@ func (c *Client) GetObjectTagging(ctx context.Context, bucketName, objectName st // RemoveObjectTaggingOptions holds the version id of the object to remove type RemoveObjectTaggingOptions struct { VersionID string + Internal AdvancedObjectTaggingOptions } // RemoveObjectTagging removes object tag(s) with options to control a specific object @@ -134,12 +150,16 @@ func (c *Client) RemoveObjectTagging(ctx context.Context, bucketName, objectName if opts.VersionID != "" { urlValues.Set("versionId", opts.VersionID) } - + headers := make(http.Header, 0) + if opts.Internal.ReplicationProxyRequest != "" { + headers.Set(minIOBucketReplicationProxyRequest, opts.Internal.ReplicationProxyRequest) + } // Execute DELETE on object to remove object tag(s) resp, err := c.executeMethod(ctx, http.MethodDelete, requestMetadata{ - bucketName: bucketName, - objectName: objectName, - queryValues: urlValues, + bucketName: bucketName, + objectName: objectName, + queryValues: urlValues, + customHeader: headers, }) defer closeResponse(resp) diff --git a/vendor/github.com/minio/minio-go/v7/api.go b/vendor/github.com/minio/minio-go/v7/api.go index 88a9eacc3..f8a9b34cb 100644 --- a/vendor/github.com/minio/minio-go/v7/api.go +++ b/vendor/github.com/minio/minio-go/v7/api.go @@ -127,7 +127,7 @@ type Options struct { // Global constants. const ( libraryName = "minio-go" - libraryVersion = "v7.0.65" + libraryVersion = "v7.0.66" ) // User Agent should always following the below style. diff --git a/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go index 0c9536deb..c5153c4ca 100644 --- a/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go +++ b/vendor/github.com/minio/minio-go/v7/pkg/credentials/iam_aws.go @@ -54,19 +54,36 @@ type IAM struct { // Custom endpoint to fetch IAM role credentials. Endpoint string + + // Region configurable custom region for STS + Region string + + // Support for container authorization token https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html + Container struct { + AuthorizationToken string + CredentialsFullURI string + CredentialsRelativeURI string + } + + // EKS based k8s RBAC authorization - https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html + EKSIdentity struct { + TokenFile string + RoleARN string + RoleSessionName string + } } // IAM Roles for Amazon EC2 // http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html const ( - defaultIAMRoleEndpoint = "http://169.254.169.254" - defaultECSRoleEndpoint = "http://169.254.170.2" - defaultSTSRoleEndpoint = "https://sts.amazonaws.com" - defaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/" - tokenRequestTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" - tokenPath = "/latest/api/token" - tokenTTL = "21600" - tokenRequestHeader = "X-aws-ec2-metadata-token" + DefaultIAMRoleEndpoint = "http://169.254.169.254" + DefaultECSRoleEndpoint = "http://169.254.170.2" + DefaultSTSRoleEndpoint = "https://sts.amazonaws.com" + DefaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/" + TokenRequestTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" + TokenPath = "/latest/api/token" + TokenTTL = "21600" + TokenRequestHeader = "X-aws-ec2-metadata-token" ) // NewIAM returns a pointer to a new Credentials object wrapping the IAM. @@ -84,21 +101,55 @@ func NewIAM(endpoint string) *Credentials { // the desired func (m *IAM) Retrieve() (Value, error) { token := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN") + if token == "" { + token = m.Container.AuthorizationToken + } + + relativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") + if relativeURI == "" { + relativeURI = m.Container.CredentialsRelativeURI + } + + fullURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI") + if fullURI == "" { + fullURI = m.Container.CredentialsFullURI + } + + identityFile := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") + if identityFile == "" { + identityFile = m.EKSIdentity.TokenFile + } + + roleArn := os.Getenv("AWS_ROLE_ARN") + if roleArn == "" { + roleArn = m.EKSIdentity.RoleARN + } + + roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME") + if roleSessionName == "" { + roleSessionName = m.EKSIdentity.RoleSessionName + } + + region := os.Getenv("AWS_REGION") + if region == "" { + region = m.Region + } + var roleCreds ec2RoleCredRespBody var err error endpoint := m.Endpoint switch { - case len(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")) > 0: + case identityFile != "": if len(endpoint) == 0 { - if len(os.Getenv("AWS_REGION")) > 0 { - if strings.HasPrefix(os.Getenv("AWS_REGION"), "cn-") { - endpoint = "https://sts." + os.Getenv("AWS_REGION") + ".amazonaws.com.cn" + if region != "" { + if strings.HasPrefix(region, "cn-") { + endpoint = "https://sts." + region + ".amazonaws.com.cn" } else { - endpoint = "https://sts." + os.Getenv("AWS_REGION") + ".amazonaws.com" + endpoint = "https://sts." + region + ".amazonaws.com" } } else { - endpoint = defaultSTSRoleEndpoint + endpoint = DefaultSTSRoleEndpoint } } @@ -106,15 +157,15 @@ func (m *IAM) Retrieve() (Value, error) { Client: m.Client, STSEndpoint: endpoint, GetWebIDTokenExpiry: func() (*WebIdentityToken, error) { - token, err := os.ReadFile(os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")) + token, err := os.ReadFile(identityFile) if err != nil { return nil, err } return &WebIdentityToken{Token: string(token)}, nil }, - RoleARN: os.Getenv("AWS_ROLE_ARN"), - roleSessionName: os.Getenv("AWS_ROLE_SESSION_NAME"), + RoleARN: roleArn, + roleSessionName: roleSessionName, } stsWebIdentityCreds, err := creds.Retrieve() @@ -123,17 +174,16 @@ func (m *IAM) Retrieve() (Value, error) { } return stsWebIdentityCreds, err - case len(os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")) > 0: + case relativeURI != "": if len(endpoint) == 0 { - endpoint = fmt.Sprintf("%s%s", defaultECSRoleEndpoint, - os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")) + endpoint = fmt.Sprintf("%s%s", DefaultECSRoleEndpoint, relativeURI) } roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token) - case len(os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")) > 0: + case fullURI != "": if len(endpoint) == 0 { - endpoint = os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI") + endpoint = fullURI var ok bool if ok, err = isLoopback(endpoint); !ok { if err == nil { @@ -189,7 +239,7 @@ func getIAMRoleURL(endpoint string) (*url.URL, error) { if err != nil { return nil, err } - u.Path = defaultIAMSecurityCredsPath + u.Path = DefaultIAMSecurityCredsPath return u, nil } @@ -203,7 +253,7 @@ func listRoleNames(client *http.Client, u *url.URL, token string) ([]string, err return nil, err } if token != "" { - req.Header.Add(tokenRequestHeader, token) + req.Header.Add(TokenRequestHeader, token) } resp, err := client.Do(req) if err != nil { @@ -258,11 +308,11 @@ func fetchIMDSToken(client *http.Client, endpoint string) (string, error) { ctx, cancel := context.WithTimeout(context.Background(), time.Second) defer cancel() - req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint+tokenPath, nil) + req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint+TokenPath, nil) if err != nil { return "", err } - req.Header.Add(tokenRequestTTLHeader, tokenTTL) + req.Header.Add(TokenRequestTTLHeader, TokenTTL) resp, err := client.Do(req) if err != nil { return "", err @@ -285,7 +335,7 @@ func fetchIMDSToken(client *http.Client, endpoint string) (string, error) { // reading the response an error will be returned. func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) { if endpoint == "" { - endpoint = defaultIAMRoleEndpoint + endpoint = DefaultIAMRoleEndpoint } // https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html @@ -332,7 +382,7 @@ func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, return ec2RoleCredRespBody{}, err } if token != "" { - req.Header.Add(tokenRequestHeader, token) + req.Header.Add(TokenRequestHeader, token) } resp, err := client.Do(req) diff --git a/vendor/github.com/minio/minio-go/v7/utils.go b/vendor/github.com/minio/minio-go/v7/utils.go index 6a93561ea..e39eba028 100644 --- a/vendor/github.com/minio/minio-go/v7/utils.go +++ b/vendor/github.com/minio/minio-go/v7/utils.go @@ -528,6 +528,14 @@ func isStandardQueryValue(qsKey string) bool { return supportedQueryValues[qsKey] } +// Per documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html#LogFormatCustom, the +// set of query params starting with "x-" are ignored by S3. +const allowedCustomQueryPrefix = "x-" + +func isCustomQueryValue(qsKey string) bool { + return strings.HasPrefix(qsKey, allowedCustomQueryPrefix) +} + var ( md5Pool = sync.Pool{New: func() interface{} { return md5.New() }} sha256Pool = sync.Pool{New: func() interface{} { return sha256.New() }} |